www.isaca.org
IT Audit Basics
Other CAATs
The areas of work of an IS auditor extend to evaluating security relating to operating systems, databases and the network. There are tools that can be run to find the various parameter settings that influence security. These tools also can compare the settings against the defined security policy of the organization and list the noncompliances. Some of these tools have specific versions for different technology platforms, and the right one needs to be procured. The use of these tools brings consistency to the security evaluation process and also speeds it up. However, it should be remembered that these tools do only a portion of the evaluation and need to be supplemented by observation and scrutiny of system administration practices and procedures.
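The compliance step described above (collect parameter settings, compare them against the organization's security policy, list the noncompliances) is shown below as an added example; it is not code from the article or from any vendor tool it mentions. The policy baseline, the parameter names and the observed settings are all constructed samples, and a parameter the policy governs but the system leaves unset is reported as a noncompliance rather than silently skipped.

```python
"""Added example: a minimal parameter-vs-policy compliance check.

Reads 'parameter value' style settings (the layout used by files such as
sshd_config or login.defs) and compares each against a policy baseline,
listing every noncompliance, including parameters that are not set at all.
All policy values and observed settings below are constructed samples.
"""
import operator
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union

Value = Union[int, str]

# Constructed baseline: parameter -> (comparison operator, required value).
POLICY_BASELINE: Dict[str, Tuple[str, Value]] = {
    "PASS_MAX_DAYS":   ("<=", 90),
    "PASS_MIN_LEN":    (">=", 12),
    "PermitRootLogin": ("==", "no"),
    "LoginGraceTime":  ("<=", 60),
    "X11Forwarding":   ("==", "no"),
}

# Constructed sample of settings as collected from a host (not a real system).
OBSERVED_SETTINGS_TEXT = """
# comments and blank lines are ignored
PASS_MAX_DAYS 180
PASS_MIN_LEN 12
PermitRootLogin yes
LoginGraceTime 60
"""

OPERATORS = {"==": operator.eq, "<=": operator.le, ">=": operator.ge}


@dataclass
class Finding:
    parameter: str
    required: str   # human-readable requirement, e.g. "<= 90"
    observed: str   # raw observed value, or "<not set>"
    compliant: bool


def parse_settings(text: str) -> Dict[str, str]:
    """Parse 'key value' lines; a later occurrence overrides an earlier one."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0]] = parts[1].strip()
    return settings


def _coerce(observed: str, required: Value) -> Value:
    """Compare numerically when the policy value is numeric, otherwise case-insensitively."""
    if isinstance(required, int):
        return int(observed)
    return observed.lower()


def evaluate(observed: Dict[str, str],
             baseline: Dict[str, Tuple[str, Value]]) -> List[Finding]:
    """Produce one Finding per baseline parameter, compliant or not."""
    findings: List[Finding] = []
    for param, (op, required) in baseline.items():
        required_text = f"{op} {required}"
        if param not in observed:
            # Governed by policy but never set on the system: a noncompliance.
            findings.append(Finding(param, required_text, "<not set>", False))
            continue
        try:
            actual = _coerce(observed[param], required)
        except ValueError:
            # Non-numeric text where the policy expects a number.
            findings.append(Finding(param, required_text, observed[param], False))
            continue
        expected = required.lower() if isinstance(required, str) else required
        ok = OPERATORS[op](actual, expected)
        findings.append(Finding(param, required_text, observed[param], ok))
    return findings


def noncompliances(observed_text: str = OBSERVED_SETTINGS_TEXT,
                   baseline: Dict[str, Tuple[str, Value]] = POLICY_BASELINE) -> List[Finding]:
    """Return only the findings an auditor would list as exceptions."""
    return [f for f in evaluate(parse_settings(observed_text), baseline) if not f.compliant]


if __name__ == "__main__":
    for f in noncompliances():
        print(f"NONCOMPLIANT {f.parameter}: required {f.required}, observed {f.observed}")
```

On the constructed sample this lists three exceptions: PASS_MAX_DAYS (180 exceeds 90), PermitRootLogin (yes instead of no) and X11Forwarding (not set). The output is the tool's portion of the evaluation only; as the text notes, how the settings came to be that way still has to be established by reviewing administration practices.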
The evaluation of network security uses tools such as sniffers and scanners. It also is acceptable to perform attack and penetration testing (after proper preparation and approvals) to detect vulnerabilities in networks. This involves the use of tools, many of which are available freely on the Internet. While using these tools, auditors need to exercise due care to ensure their integrity and reliability through testing and other references.
Traditionally, textbooks have detailed methods using test decks and other software testing mechanisms as tools. While these remain valid, their application by auditors is becoming rare. The huge improvements in quality and reliability processes, reinforced by certifications in the software industry, together with rigorous user acceptance testing and signoffs by aware users, have over the years made testing by auditors largely redundant. Auditors should examine the environment in which they operate and decide accordingly on software testing, using techniques such as test decks, audit hooks and integrated test facilities.
References
Web sites of selected audit software vendors (illustrative):
www.acl.com
www.caseware-idea.com
www.wizsoft.com
www.ecora.com